@pugi/cli 0.1.0-alpha.10

package/dist/core/bash-classifier.js

@@ -0,0 +1,1001 @@
+/**
+ * Bash command classifier — Sprint α5.2 (ADR-0056 PR-PUGI-CLI-M1-GAP-B).
+ *
+ * Splits a shell command into a 7-class taxonomy so the permission
+ * engine can apply class-aware policy instead of the prior bool gate
+ * (`destructiveBashPatterns ? deny : ask`).
+ *
+ * Design notes:
+ *   - The classifier is a conservative pattern matcher, not a full
+ *     bash AST parser. M2 will replace it with a real parser (see
+ *     bash-security.md §4). For M1 the rules are explicit-substring +
+ *     simple tokenization, which is good enough to gate every command
+ *     the engine loop currently emits.
+ *   - Compound commands (`a && b`, `a || b`, `a ; b`, `a | b`) are
+ *     split on the four separators and every component is classified
+ *     individually. The overall class is the most dangerous component.
+ *   - The `destructive` patterns originally lived in
+ *     `permission.ts::destructiveBashPatterns`. They are now the
+ *     single source of truth here; `permission.ts` re-exports the
+ *     hard-deny check through `classifyBash`.
+ *   - The `unknown` class fires on parse failure (`eval`, deep
+ *     `$(...)` nesting, `curl | sh` install pipes) so the permission
+ *     engine can fail closed in interactive modes.
+ */
+/**
+ * Class rank for worst-component reduction in compound commands.
+ *
+ * `unknown` ranks ABOVE `read` and `build_test` so that a chain like
+ * `pwd && bash ./payload.sh` does not silently disarm the fail-closed
+ * unknown gate when the worst-component loop reduces over the
+ * components. The matrix in `permission.ts` treats `unknown` as
+ * `deny` in `plan`/`dontAsk` and `ask` everywhere else; this rank
+ * placement preserves that fail-closed posture for compounds while
+ * still letting genuine `write_workspace`, `network`, `write_protected`
+ * and `destructive` components win when they appear.
+ *
+ * Code Reviewer P0 retro 2026-05-24: previously `unknown: 0` meant
+ * `read` (rank 1) won over `unknown` (rank 0) in the worst-component
+ * reduction. That bypassed the file-level promise of fail-closed on
+ * parse failure.
+ */
+const CLASS_RANK = {
+    destructive: 7,
+    write_protected: 6,
+    write_workspace: 5,
+    network: 4,
+    unknown: 3,
+    build_test: 2,
+    read: 1,
+};
+const DESTRUCTIVE_PATTERNS = [
+    // Filesystem wipe
+    { pattern: 'rm -rf /' },
+    { pattern: 'rm -rf ~' },
+    { pattern: 'rm -rf .' },
+    { pattern: 'rm -rf *' },
+    { pattern: 'rm -rf "/' },
+    { pattern: 'rm -rf "~' },
+    { pattern: 'rm -rf .git' },
+    { pattern: 'rm -r /' },
+    { pattern: 'rm -r ~' },
+    { pattern: 'rm -r .git' },
+    { pattern: 'sudo rm -rf' },
+    { pattern: 'sudo rm -r' },
+    { pattern: 'dd if=/dev/zero' },
+    { pattern: 'dd if=/dev/random' },
+    { pattern: 'dd of=/dev/' },
+    { pattern: 'mkfs' },
+    { pattern: 'shred ' },
+    { pattern: 'wipefs' },
+    { pattern: '> /dev/sda' },
+    { pattern: '> /dev/disk' },
+    // Permission wipe
+    { pattern: 'chmod 777 /' },
+    { pattern: 'chmod -R 777 /' },
+    { pattern: 'chmod -R 777 ~' },
+    { pattern: 'chown -R root /' },
+    { pattern: 'chown -R / ' },
+    // Shell tricks
+    { pattern: ':(){ :|:& };:' },
+    { pattern: 'eval "$' },
+    { pattern: "eval '$" },
+    // Git history loss
+    { pattern: 'git reset --hard' },
+    { pattern: 'git clean -fdx' },
+    { pattern: 'git push --force origin main' },
+    { pattern: 'git push -f origin main' },
+    { pattern: 'git push --force origin master' },
+    { pattern: 'git push -f origin master' },
+    { pattern: 'git push --force origin production' },
+    { pattern: 'git push -f origin production' },
+    // Container / infra
+    { pattern: 'docker system prune' },
+    { pattern: 'docker rm -f $(docker' },
+    { pattern: 'kubectl delete --all' },
+    { pattern: 'kubectl delete namespace' },
+    { pattern: 'terraform destroy' },
+    // SQL destructive (case-insensitive — model can emit any case).
+    { pattern: 'DROP DATABASE', caseInsensitive: true },
+    { pattern: 'DROP TABLE', caseInsensitive: true },
+    { pattern: 'TRUNCATE TABLE', caseInsensitive: true },
+    // Firewall / network
+    { pattern: 'ufw disable' },
+    { pattern: 'iptables -F' },
+    { pattern: 'iptables --flush' },
+    // Credential exfil
+    { pattern: 'cat ~/.ssh/id_rsa' },
+    { pattern: 'cat ~/.ssh/id_ed25519' },
+    { pattern: 'gpg --export-secret' },
+    // SSH config write paths (reads are OK; only redirections/tee block)
+    { pattern: '> sshd_config' },
+    { pattern: '>> sshd_config' },
+    { pattern: '> /etc/ssh/sshd_config' },
+    { pattern: '>> /etc/ssh/sshd_config' },
+    { pattern: 'tee sshd_config' },
+    { pattern: 'tee /etc/ssh/sshd_config' },
+    { pattern: 'tee -a sshd_config' },
+    { pattern: 'tee -a /etc/ssh/sshd_config' },
+    // History destruction
+    { pattern: 'history -c' },
+    { pattern: ' >/dev/null 2>&1; rm' },
+];
+/**
+ * Compound separators. We split on `&&`, `||`, `;`, `|` to classify
+ * each component, then pick the most dangerous. `&` (background fork)
+ * is intentionally NOT a separator — backgrounding does not change
+ * what runs, only when.
+ */
+const COMPOUND_SEPARATORS = /\s*(?:&&|\|\||;|\|)\s*/;
+/**
+ * Split a shell command on compound separators (`&&`, `||`, `;`, `|`)
+ * while RESPECTING quoted strings (`'...'`, `"..."`, `` `...` ``) so
+ * that script bodies passed to `awk`, `sed`, `perl`, `python -c` are
+ * not mis-split when they contain bare `;` or `|` glyphs.
+ *
+ * Code Reviewer P0 retro 2026-05-24: a naive regex split on
+ * `awk 'BEGIN { for (i=0;i<5000;i++) ... }'` produces 3 components
+ * (the awk script header + two for-loop fragments) that get
+ * classified as `unknown` each and — with the unknown:3 rank above
+ * read:1 — escalate the overall verdict to `unknown`, breaking
+ * legitimate read-class scripts.
+ */
+function splitCompoundRespectingQuotes(cmd) {
+    const out = [];
+    let buf = '';
+    let inSingle = false;
+    let inDouble = false;
+    let inBacktick = false;
+    for (let i = 0; i < cmd.length; i += 1) {
+        const ch = cmd[i];
+        const prev = i > 0 ? cmd[i - 1] : '';
+        if (ch === '\\') {
+            buf += ch;
+            if (i + 1 < cmd.length) {
+                buf += cmd[i + 1];
+                i += 1;
+            }
+            continue;
+        }
+        if (!inDouble && !inBacktick && ch === "'") {
+            inSingle = !inSingle;
+            buf += ch;
+            continue;
+        }
+        if (!inSingle && !inBacktick && ch === '"') {
+            inDouble = !inDouble;
+            buf += ch;
+            continue;
+        }
+        if (!inSingle && !inDouble && ch === '`') {
+            inBacktick = !inBacktick;
+            buf += ch;
+            continue;
+        }
+        if (!inSingle && !inDouble && !inBacktick) {
+            // `&&`
+            if (ch === '&' && cmd[i + 1] === '&') {
+                out.push(buf.trim());
+                buf = '';
+                i += 1;
+                continue;
+            }
+            // `||`
+            if (ch === '|' && cmd[i + 1] === '|') {
+                out.push(buf.trim());
+                buf = '';
+                i += 1;
+                continue;
+            }
+            // `;` (single semicolon, not part of `;;`)
+            if (ch === ';' && cmd[i + 1] !== ';' && prev !== ';') {
+                out.push(buf.trim());
+                buf = '';
+                continue;
+            }
+            // bare `|` (single pipe, not `||` and not `|&`)
+            if (ch === '|' && cmd[i + 1] !== '|' && cmd[i + 1] !== '&') {
+                out.push(buf.trim());
+                buf = '';
+                continue;
+            }
+        }
+        buf += ch;
+    }
+    const tail = buf.trim();
+    if (tail !== '')
+        out.push(tail);
+    return out.filter((s) => s !== '');
+}
+/** Network commands. */
+const NETWORK_TOKENS = new Set([
+    'curl',
+    'wget',
+    'ssh',
+    'scp',
+    'rsync',
+    'nc',
+    'netcat',
+]);
+const NETWORK_PREFIXES = [
+    'git clone',
+    'git fetch',
+    'git pull',
+    'git push',
+    'npm install',
+    'npm i ',
+    'npm ci',
+    'pnpm install',
+    'pnpm i ',
+    'pnpm add',
+    'yarn install',
+    'yarn add',
+    'pip install',
+    'pip3 install',
+    'brew install',
+    'brew upgrade',
+    'apt-get',
+    'apt install',
+    'yum install',
+    'dnf install',
+    'docker pull',
+    'docker push',
+    'cargo install',
+    'go get',
+    'go install',
+];
+/**
+ * Build / test prefixes. These are common enough that the permission
+ * engine grants them auto in `acceptEdits`/`auto` modes (the rule of
+ * thumb is "ask first time, then allow rule" per bash-security.md §3).
+ *
+ * IMPORTANT: every prefix here must NOT also match a network installer
+ * (we handle `npm install` / `pnpm install` before this list).
+ */
+const BUILD_TEST_PREFIXES = [
+    'pnpm test',
+    'pnpm build',
+    'pnpm typecheck',
+    'pnpm lint',
+    'pnpm run test',
+    'pnpm run build',
+    'pnpm run typecheck',
+    'pnpm run lint',
+    'npm test',
+    'npm run build',
+    'npm run lint',
+    'npm run typecheck',
+    'npm run test',
+    'yarn test',
+    'yarn build',
+    'yarn lint',
+    'cargo test',
+    'cargo build',
+    'cargo check',
+    'go test',
+    'go build',
+    'go vet',
+    'pytest',
+    'jest',
+    'vitest',
+    'make test',
+    'make build',
+    'make check',
+    'mvn test',
+    'mvn package',
+    'gradle test',
+    'gradle build',
+    'tsc --noEmit',
+    'tsc -p',
+    'eslint',
+    'prettier --check',
+];
+/** Single-token read-only commands. Argument-free entries match exact. */
+const READ_TOKENS = new Set([
+    'pwd',
+    'ls',
+    'cat',
+    'head',
+    'tail',
+    'wc',
+    'which',
+    'whereis',
+    'file',
+    'stat',
+    'du',
+    'df',
+    'echo',
+    'printenv',
+    'env',
+    'date',
+    'uname',
+    'hostname',
+    'id',
+    'whoami',
+    'true',
+    'false',
+    'basename',
+    'dirname',
+    'realpath',
+    // `sleep` has no FS/network/proc impact beyond a timer; treated as
+    // read so background jobs can use it without tripping the unknown
+    // gate. Same logic for the no-op coreutils below.
+    'sleep',
+    'yes',
+    'seq',
+    'tr',
+    'cut',
+    'sort',
+    'uniq',
+]);
+const READ_PREFIXES = [
+    'git status',
+    'git log',
+    'git diff',
+    'git show',
+    'git branch',
+    'git remote',
+    'git rev-parse',
+    'git ls-files',
+    'git config --get',
+    'less ',
+    'more ',
+    'grep ',
+    'rg ',
+    'fd ',
+    'tree',
+];
+/** Write_workspace prefixes. Destination boundary is checked separately. */
+const WRITE_WORKSPACE_PREFIXES = [
+    'mkdir',
+    'touch',
+    'cp ',
+    'mv ',
+    'ln ',
+    'git commit',
+    'git add',
+    'git checkout',
+    'git switch',
+    'git restore',
+    'git stash',
+    'git tag',
+    'git rebase',
+    'git merge',
+];
+/**
+ * Protected-write triggers. If a command writes to any of these paths
+ * the class is `write_protected` regardless of the operation type.
+ *
+ * Wildcards are handled as substring matches (e.g. `/.ssh/` matches
+ * `~/.ssh/foo` and `/Users/x/.ssh/bar`).
+ */
+const PROTECTED_PATH_SUBSTRINGS = [
+    '/.ssh/',
+    '/.aws/',
+    '/.gnupg/',
+    '/.config/',
+    '~/.ssh/',
+    '~/.aws/',
+    '~/.gnupg/',
+    '~/.config/',
+    '~/.npmrc',
+    '~/.pypirc',
+    '~/.bashrc',
+    '~/.zshrc',
+    '~/.profile',
+    '~/.bash_profile',
+    '/etc/',
+    '/usr/',
+    '/var/',
+];
+/**
+ * Obfuscation triggers — any of these forces the `unknown` class so
+ * the permission engine can fail closed.
+ */
+const OBFUSCATION_TRIGGERS = [
+    { needle: 'curl', reason: 'curl piped into shell installer' },
+    { needle: 'wget', reason: 'wget piped into shell installer' },
+];
+/**
+ * Classify a single (non-compound) command component.
+ *
+ * Order of checks (most-specific first):
+ *   1. destructive substring (hard deny path)
+ *   2. obfuscation (curl|sh, deep $() nesting, raw eval)
+ *   3. cd-escape (covered by classifyBash for the overall command;
+ *      single-component cd is handled here too)
+ *   4. protected-write (redirection or write op into a protected path)
+ *   5. write_workspace (mkdir/touch/cp/mv/git-write etc)
+ *   6. network (curl/wget/ssh/installers)
+ *   7. build_test (pnpm test, cargo build, ...)
+ *   8. read (pwd, ls, cat, ...)
+ *   9. unknown (default)
+ */
+function classifyComponent(cmd, ctx) {
+    const trimmed = cmd.trim();
+    if (trimmed === '') {
+        return { class: 'unknown', reason: 'empty component', matched: '' };
+    }
+    // 1. Destructive hard-deny patterns.
+    const destructive = findDestructiveMatch(trimmed);
+    if (destructive) {
+        return {
+            class: 'destructive',
+            reason: `Destructive command pattern matched: ${destructive}`,
+            matched: destructive,
+        };
+    }
+    // 2. Obfuscation — curl|sh, wget|bash, deep $() nesting, raw eval.
+    const obfuscation = detectObfuscation(trimmed);
+    if (obfuscation) {
+        return {
+            class: 'unknown',
+            reason: obfuscation.reason,
+            matched: obfuscation.matched,
+        };
+    }
+    // 3. find with -delete / -exec is destructive-adjacent.
+    if (/\bfind\b[^|;]*\s-(?:delete|exec\b)/.test(trimmed)) {
+        return {
+            class: 'destructive',
+            reason: 'find with -delete or -exec is treated as destructive',
+            matched: 'find ... -delete|-exec',
+        };
+    }
+    // 4. Protected-write check (redirection OR write op into protected path).
+    const protectedWrite = detectProtectedWrite(trimmed, ctx);
+    if (protectedWrite) {
+        return {
+            class: 'write_protected',
+            reason: protectedWrite.reason,
+            matched: protectedWrite.matched,
+        };
+    }
+    // 4a. Protected-read check. Reads from credential / config paths
+    // (`cat ~/.aws/credentials`, `head ~/.npmrc`, `grep . ~/.ssh/id_ed25519`,
+    // `tail -f ~/.bash_history`) classify as `write_protected` so the
+    // permission matrix gates them in plan/dontAsk and asks elsewhere.
+    // The hard-coded DESTRUCTIVE entries for `cat ~/.ssh/id_rsa` /
+    // `cat ~/.ssh/id_ed25519` still win when matched (they run before
+    // this check).
+    //
+    // Code Reviewer P0 retro 2026-05-24: previously these reads fell
+    // through to READ_TOKENS and were allowed in every mode.
+    const protectedRead = detectProtectedRead(trimmed);
+    if (protectedRead) {
+        return {
+            class: 'write_protected',
+            reason: protectedRead.reason,
+            matched: protectedRead.matched,
+        };
+    }
+    // 4b. .env writes are always protected, even inside the workspace
+    // (CEO directive feedback_never_delete_untracked_env.md).
+    const envWrite = detectEnvWrite(trimmed);
+    if (envWrite) {
+        return {
+            class: 'write_protected',
+            reason: envWrite.reason,
+            matched: envWrite.matched,
+        };
+    }
+    // 5. Write_workspace ops (mkdir / touch / cp / mv / git commit / etc).
+    for (const prefix of WRITE_WORKSPACE_PREFIXES) {
+        if (trimmed.startsWith(prefix)) {
+            return {
+                class: 'write_workspace',
+                reason: `Workspace write op: ${prefix.trim()}`,
+                matched: prefix.trim(),
+            };
+        }
+    }
+    // 5b. Shell redirection (`>`/`>>`) without a protected target →
+    // workspace write. Pipes (`|`) are not redirections. The regex
+    // allows optional whitespace around `>` (catches `>file`, `> file`,
+    // `>>file`, `>> file`) and skips file-descriptor redirects
+    // (`>&1`, `2>&1`, `>&2`).
+    if (/(^|[^0-9&])>>?\s*[^&\s|;<>]/.test(trimmed) &&
+        !trimmed.includes('/dev/null')) {
+        return {
+            class: 'write_workspace',
+            reason: 'Shell redirection into a workspace target',
+            matched: '>',
+        };
+    }
+    // 6. Network commands.
+    const network = detectNetwork(trimmed);
+    if (network) {
+        return {
+            class: 'network',
+            reason: network.reason,
+            matched: network.matched,
+        };
+    }
+    // 7. Build/test runners.
+    for (const prefix of BUILD_TEST_PREFIXES) {
+        if (trimmed === prefix || trimmed.startsWith(`${prefix} `)) {
+            return {
+                class: 'build_test',
+                reason: `Build/test runner: ${prefix}`,
+                matched: prefix,
+            };
+        }
+    }
+    // 7b. Bare `make` (no subcommand) is build-class.
+    if (trimmed === 'make' || trimmed.startsWith('make ')) {
+        return { class: 'build_test', reason: 'make runner', matched: 'make' };
+    }
+    // 7c. Bare `cd <path>` (inside workspace — the cwd-escape detector
+    // upgrades the class to write_protected when the target is
+    // outside). Standalone `cd` (HOME) is escape, also handled by the
+    // cwd-escape detector.
+    if (/^cd(\s+\S+)?\s*$/.test(trimmed)) {
+        return { class: 'read', reason: 'cd inside workspace', matched: 'cd' };
+    }
+    // 8. Read-only commands.
+    const firstToken = trimmed.split(/\s+/)[0] ?? '';
+    if (READ_TOKENS.has(firstToken)) {
+        // `sed` and `awk` are allowed only without `>` (already gated by
+        // step 5b above) — they fall through to here when they are pure
+        // reads. We list them explicitly for clarity even though set
+        // membership is the source of truth.
+        return { class: 'read', reason: `Read-only command: ${firstToken}`, matched: firstToken };
+    }
+    for (const prefix of READ_PREFIXES) {
+        if (trimmed === prefix.trim() || trimmed.startsWith(prefix)) {
+            return {
+                class: 'read',
+                reason: `Read-only command: ${prefix.trim()}`,
+                matched: prefix.trim(),
+            };
+        }
+    }
+    // sed/awk: read-only when no `>` redirect (the redirect branch above
+    // catches the write case).
+    if (firstToken === 'sed' || firstToken === 'awk') {
+        return { class: 'read', reason: `Stream editor as read: ${firstToken}`, matched: firstToken };
+    }
+    // `find` without -delete / -exec is a read.
+    if (firstToken === 'find') {
+        return { class: 'read', reason: 'find (no -delete/-exec)', matched: 'find' };
+    }
+    // 9. Default: unknown.
+    return {
+        class: 'unknown',
+        reason: `Unrecognized command: ${firstToken || trimmed}`,
+        matched: firstToken || trimmed,
+    };
+}
+function findDestructiveMatch(cmd) {
+    const upper = cmd.toUpperCase();
+    for (const { pattern, caseInsensitive } of DESTRUCTIVE_PATTERNS) {
+        if (caseInsensitive) {
+            if (upper.includes(pattern))
+                return pattern;
+        }
+        else if (cmd.includes(pattern)) {
+            return pattern;
+        }
+    }
+    return null;
+}
+function detectObfuscation(cmd) {
+    // Raw `eval` with shell expansion. (`eval "$VAR"` is already in
+    // DESTRUCTIVE_PATTERNS — this catches the more general case of
+    // `eval $(...)`, `eval `...``, etc.)
+    if (/(^|\s)eval\s+[`$"']/.test(cmd)) {
+        return { reason: 'eval with shell expansion is treated as unknown', matched: 'eval' };
+    }
+    // `bash -c '...base64-decoded...'` — base64-decoded payloads are
+    // a common obfuscation. We trigger on the substring `base64 -d`
+    // anywhere in the command.
+    if (/\bbase64\s+-d\b/.test(cmd) || /\bbase64\s+--decode\b/.test(cmd)) {
+        return { reason: 'base64 decode pipeline is treated as unknown', matched: 'base64 -d' };
+    }
+    // Deep nested `$(...)` — more than 3 levels of nesting is treated
+    // as obfuscation.
+    if (nestingDepth(cmd, '$(', ')') > 3) {
+        return { reason: 'deeply nested command substitution', matched: '$(...)' };
+    }
+    if (nestingDepth(cmd, '`', '`') > 3) {
+        return { reason: 'deeply nested backtick substitution', matched: '`...`' };
+    }
+    // `curl ... | sh`, `wget ... | bash` — remote installer pipe.
+    // We require the entire command (including pipes) to contain both
+    // the network fetcher and the shell receiver.
+    for (const trigger of OBFUSCATION_TRIGGERS) {
+        if (cmd.includes(trigger.needle) && /\|\s*(?:sh|bash|zsh|fish)\b/.test(cmd)) {
+            return {
+                reason: `${trigger.reason}: ${trigger.needle} | <shell>`,
+                matched: `${trigger.needle} | sh`,
+            };
+        }
+    }
+    return null;
+}
+function nestingDepth(cmd, open, close) {
+    if (open === close) {
+        // Backtick pair — count occurrences / 2 for matched pairs and
+        // approximate "depth" as `pairs > 3` triggers.
+        const count = (cmd.match(new RegExp(escapeRegex(open), 'g')) ?? []).length;
+        return Math.floor(count / 2);
+    }
+    let depth = 0;
+    let max = 0;
+    for (let i = 0; i < cmd.length; i += 1) {
+        if (cmd.startsWith(open, i)) {
+            depth += 1;
+            max = Math.max(max, depth);
+            i += open.length - 1;
+        }
+        else if (cmd.startsWith(close, i) && depth > 0) {
+            depth -= 1;
+        }
+    }
+    return max;
+}
+function escapeRegex(s) {
+    return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+function detectProtectedWrite(cmd, ctx) {
+    // Surface every write target this command produces so we can both
+    // protected-path-check and outside-workspace-check them uniformly.
+    // Captures `sort -o`, `uniq <in> <out>`, `sed -i` files, `awk '... > "file"'`,
+    // and `>` / `>>` redirections without surrounding whitespace.
+    const writeTargets = extractWriteTargets(cmd);
+    for (const needle of PROTECTED_PATH_SUBSTRINGS) {
+        if (!cmd.includes(needle))
+            continue;
+        // Reading from a protected path is allowed at the classifier
+        // layer (the permission engine still gates `read`); writing is
+        // the trigger here. We say it is a write if any of: `>`, `>>`,
+        // `tee`, `cp`, `mv`, `mkdir`, `touch`, `chmod`, `chown`,
+        // `ln`, `rm`, `rsync`, `scp` appears in the same component, or
+        // if any of the structured write targets (sort -o, uniq two-arg,
+        // sed -i, awk-redirect) was extracted above.
+        if (writeTargets.length > 0 ||
+            /(^|\s)>>?\s*\S/.test(cmd) ||
+            /\btee\b/.test(cmd) ||
+            /\bcp\b/.test(cmd) ||
+            /\bmv\b/.test(cmd) ||
+            /\bmkdir\b/.test(cmd) ||
+            /\btouch\b/.test(cmd) ||
+            /\bchmod\b/.test(cmd) ||
+            /\bchown\b/.test(cmd) ||
+            /\bln\b/.test(cmd) ||
+            /\brm\b/.test(cmd) ||
+            /\brsync\b/.test(cmd) ||
+            /\bscp\b/.test(cmd)) {
+            return {
+                reason: `Write into protected path: ${needle}`,
+                matched: needle,
+            };
+        }
+    }
+    // Per-target protected-path / outside-workspace check. Catches both
+    // `sort -o ~/.ssh/config` and `echo x > /tmp/other` even when the
+    // target was not a substring of the raw command (e.g. quoted paths).
+    for (const target of writeTargets) {
+        for (const needle of PROTECTED_PATH_SUBSTRINGS) {
+            if (target.includes(needle)) {
+                return {
+                    reason: `Write into protected path: ${needle}`,
+                    matched: target,
+                };
+            }
+        }
+        if (looksAbsoluteOutsideWorkspace(target, ctx)) {
+            return {
+                reason: `Write target outside workspace: ${target}`,
+                matched: target,
+            };
+        }
+    }
+    return null;
+}
+/**
+ * Extract every write-target path the command produces. Covers:
+ *   - shell redirection `> file`, `>> file` (with optional whitespace,
+ *     skipping `>&1`, `>&2`, etc.)
+ *   - `sort -o file`
+ *   - `uniq <input> <output>` (the two-arg form)
+ *   - `sed -i <file>...` (in-place edit treats every trailing file as a
+ *     write target)
+ *   - `awk '... > "file"'` (quoted redirection inside an awk script)
+ *
+ * Conservative — we do not try to resolve shell vars or globs; the
+ * caller still gates absolute paths via `looksAbsoluteOutsideWorkspace`.
+ */
+function extractWriteTargets(cmd) {
+    const targets = [];
+    // Shell redirection (`>`, `>>`) with optional whitespace. Skip
+    // file-descriptor redirects (`>&1`, `>&2`, `2>&1`).
+    const redirRegex = /(^|[^0-9&])>>?\s*([^\s|;&<>]+)/g;
+    let match;
+    while ((match = redirRegex.exec(cmd)) !== null) {
+        const candidate = match[2];
+        if (!candidate || candidate.startsWith('&'))
+            continue;
+        if (candidate === '/dev/null')
+            continue;
+        targets.push(stripQuotes(candidate));
+    }
+    // sort -o <file>
+    const sortMatch = cmd.match(/\bsort\b[^|;]*\s-o\s+(\S+)/);
+    if (sortMatch && sortMatch[1]) {
+        targets.push(stripQuotes(sortMatch[1]));
+    }
+    // uniq <input> <output> (two-arg form). Three-arg uniq does not exist
+    // in POSIX, so the second non-flag arg is the output file.
+    const uniqMatch = cmd.match(/\buniq\b(?:\s+-[^\s]+)*\s+(\S+)\s+(\S+)/);
+    if (uniqMatch && uniqMatch[2] && !uniqMatch[2].startsWith('-')) {
+        targets.push(stripQuotes(uniqMatch[2]));
+    }
+    // sed -i [SUFFIX] <expr> <file>... — every trailing positional is a
+    // write target. We capture the tail after `-i` and treat each
+    // whitespace-delimited token that is not a flag as a target.
+    const sedMatch = cmd.match(/\bsed\b[^|;]*\s-i\b([^|;]*)/);
+    if (sedMatch && sedMatch[1]) {
+        const tail = sedMatch[1].trim().split(/\s+/);
+        for (const token of tail) {
+            if (token === '' || token.startsWith('-'))
+                continue;
+            if (token.startsWith("'") || token.startsWith('"'))
+                continue;
+            targets.push(stripQuotes(token));
+        }
+    }
+    // awk '... > "file"' or awk "... > \"file\""
+    const awkQuoteRegex = /\bawk\b[^|;]*?['"][^'"]*?>\s*['"]([^'"]+)['"]/g;
+    while ((match = awkQuoteRegex.exec(cmd)) !== null) {
+        if (match[1])
+            targets.push(stripQuotes(match[1]));
+    }
+    return targets;
+}
+function stripQuotes(s) {
+    return s.replace(/^["']|["']$/g, '');
+}
+/**
+ * Detect READ operations targeted at protected paths. Runs after
+ * `detectProtectedWrite` and before the READ_TOKENS fallback. The leading
+ * token must be in READ_TOKENS so that we do not double-flag writes
+ * (which `detectProtectedWrite` already covers).
+ *
+ * Re-uses the `write_protected` class to keep the permission matrix
+ * simple — the matrix already gates that class as deny in plan/dontAsk
+ * and ask elsewhere, which is the intended fail-closed posture for
+ * unrestricted credential reads.
+ */
+const READ_PREFIX_TOKENS = new Set(['grep', 'rg', 'less', 'more', 'fd', 'tree']);
+function detectProtectedRead(cmd) {
+    const firstToken = cmd.split(/\s+/)[0] ?? '';
+    const isReadTool = READ_TOKENS.has(firstToken) ||
+        READ_PREFIX_TOKENS.has(firstToken) ||
+        firstToken === 'sed' ||
+        firstToken === 'awk' ||
+        firstToken === 'find';
+    if (!isReadTool)
+        return null;
+    for (const needle of PROTECTED_PATH_SUBSTRINGS) {
+        if (cmd.includes(needle)) {
+            return {
+                reason: `Read from protected path: ${needle}`,
+                matched: needle,
+            };
+        }
+    }
+    return null;
+}
+function detectEnvWrite(cmd) {
+    // .env / .env.<suffix> writes — match `\.env\b` adjacent to a write
+    // op (redirection, tee, cp, mv into) or `rm`. Reading .env in shell
+    // (`cat .env`) is gated by the permission engine, not classified
+    // here.
+    const envHit = /(^|\s|\/)\.env(\.[a-zA-Z0-9_-]+)?(\s|$|[>])/m.test(cmd);
+    if (!envHit)
+        return null;
+    if (/>>?\s/.test(cmd) ||
+        /\btee\b/.test(cmd) ||
+        /\bcp\b.*\.env/.test(cmd) ||
+        /\bmv\b.*\.env/.test(cmd) ||
+        /\brm\b.*\.env/.test(cmd)) {
+        return { reason: 'Write touches .env file', matched: '.env' };
+    }
+    return null;
+}
+function looksAbsoluteOutsideWorkspace(target, ctx) {
+    // Strip surrounding quotes and shell expansion artifacts.
+    const cleaned = target.replace(/^["']|["']$/g, '');
+    if (cleaned.startsWith('~')) {
+        // Home-relative path; treat as outside unless it explicitly
+        // re-enters an allowed dir (we are conservative — `~/foo` is
+        // outside).
+        return true;
+    }
+    if (!cleaned.startsWith('/')) {
+        // Workspace-relative path (or shell var); allowed at this layer.
+        // The path-security layer in `path-security.ts` already gates
+        // traversal escapes for the file tools; the bash classifier
+        // cannot resolve shell vars so we trust them.
+        return false;
+    }
+    const allowedRoots = [ctx.workspaceRoot, ...ctx.additionalDirectories].map((p) => p.endsWith('/') ? p : `${p}/`);
+    const cleanedWithSlash = cleaned.endsWith('/') ? cleaned : `${cleaned}/`;
+    return !allowedRoots.some((root) => cleanedWithSlash === root || cleanedWithSlash.startsWith(root));
+}
+function detectNetwork(cmd) {
+    for (const prefix of NETWORK_PREFIXES) {
+        if (cmd.startsWith(prefix) || cmd.includes(` ${prefix}`)) {
+            return { reason: `Network operation: ${prefix.trim()}`, matched: prefix.trim() };
+        }
+    }
+    const firstToken = cmd.split(/\s+/)[0] ?? '';
+    if (NETWORK_TOKENS.has(firstToken)) {
+        return { reason: `Network tool: ${firstToken}`, matched: firstToken };
+    }
+    return null;
+}
+/**
+ * Normalize a POSIX-ish path without resolving symlinks. Used by the
+ * `cd ... && rest` boundary check so we can decide whether the
+ * destination is inside `workspaceRoot ∪ additionalDirectories`
+ * before we ever spawn /bin/sh.
+ */
+function normalizePosix(input, baseDir) {
+    const cleaned = input.replace(/^["']|["']$/g, '');
+    const expanded = cleaned.startsWith('~') ? cleaned : cleaned;
+    // ~ expansion is intentionally not done (it would force HOME read);
+    // a `cd ~/...` is treated as outside-workspace by default since the
+    // home directory is generally outside the workspace.
+    const isAbsolute = expanded.startsWith('/') || expanded.startsWith('~');
+    const start = isAbsolute ? expanded : `${baseDir.replace(/\/$/, '')}/${expanded}`;
+    const parts = start.split('/');
+    const stack = [];
+    for (const part of parts) {
+        if (part === '' || part === '.')
+            continue;
+        if (part === '..') {
+            if (stack.length > 0)
+                stack.pop();
+            continue;
+        }
+        stack.push(part);
+    }
+    return `/${stack.join('/')}`;
+}
+function isInsideAllowedRoot(absPath, ctx) {
+    const allowedRoots = [ctx.workspaceRoot, ...ctx.additionalDirectories];
+    for (const rootRaw of allowedRoots) {
+        const root = rootRaw.endsWith('/') ? rootRaw.slice(0, -1) : rootRaw;
+        if (absPath === root || absPath.startsWith(`${root}/`))
+            return true;
+    }
+    return false;
+}
+/**
+ * Detect `cd <path>` at the head of a component and decide whether
+ * the destination escapes the workspace boundary. Returns a
+ * classification when an escape is detected; otherwise null.
+ *
+ * Per spec: a command of shape `cd <path> && <rest>` should classify
+ * the cwd target — if `<path>` resolves outside the workspace, the
+ * overall class becomes `write_protected` regardless of `<rest>`.
+ *
+ * We treat `cd -` (last-dir) and `cd` (HOME) as escapes since the
+ * resulting cwd is not under our control.
+ */
+function detectCwdEscape(components, ctx) {
+    if (components.length === 0)
+        return null;
+    // Walk every component, threading a simulated cwd through the chain.
+    // Pure `cd <path>` components update the simulated cwd; anything
+    // else leaves it untouched. If any hop lands outside
+    // `workspaceRoot ∪ additionalDirectories`, the overall classification
+    // upgrades to write_protected. Subshells (`(cd foo && rest)`) are
+    // out of scope for M1 — the parent cwd is unaffected there, and the
+    // classifier already treats parentheses as part of the component.
+    let cwd = ctx.workspaceRoot;
+    for (let i = 0; i < components.length; i += 1) {
+        const trimmed = components[i]?.trim() ?? '';
+        const cdMatch = trimmed.match(/^cd(?:\s+(\S+))?\s*$/);
+        if (!cdMatch)
+            continue;
+        const target = cdMatch[1];
+        if (target === undefined || target === '-' || target === '~') {
+            return {
+                class: 'write_protected',
+                reason: `cd chain escapes workspace boundary at hop ${i + 1}`,
+                matched: `cd${target ? ` ${target}` : ''}`,
+            };
+        }
+        cwd = normalizePosix(target, cwd);
+        if (!isInsideAllowedRoot(cwd, ctx)) {
+            return {
+                class: 'write_protected',
+                reason: `cd chain escapes workspace boundary at hop ${i + 1}`,
+                matched: `cd ${target}`,
+            };
+        }
+    }
+    return null;
+}
+export function classifyBash(cmd, ctx) {
+    const normalized = cmd.trim();
+    if (normalized === '') {
+        return { class: 'unknown', reason: 'empty command', matched: '' };
+    }
+    // Full-command destructive check first. Patterns like the fork bomb
+    // (`:(){ :|:& };:`) and SQL-in-pipe (`echo X | mysql -e 'DROP ...'`)
+    // would otherwise split on `|` or `;` and the components would each
+    // look benign. We catch them by matching the destructive substrings
+    // against the raw command before splitting.
+    const fullDestructive = findDestructiveMatch(normalized);
+    if (fullDestructive) {
+        return {
+            class: 'destructive',
+            reason: `Destructive command pattern matched: ${fullDestructive}`,
+            matched: fullDestructive,
+        };
+    }
+    // Full-command obfuscation check. `curl ... | sh` splits into two
+    // benign-looking components (`curl ...` is network; `sh` is unknown)
+    // but the pipeline together is the remote-installer pattern we want
+    // to flag as unknown so the engine can fail closed.
+    const fullObfuscation = detectObfuscation(normalized);
+    if (fullObfuscation) {
+        return {
+            class: 'unknown',
+            reason: fullObfuscation.reason,
+            matched: fullObfuscation.matched,
+        };
+    }
+    // Compound-command split. We classify each component, then pick
+    // the most dangerous one as the overall class.
+    const components = splitCompoundRespectingQuotes(normalized);
+    // Cwd-escape check runs over the raw component list so the `cd`
+    // verdict trumps the `<rest>` classification even when `<rest>` is
+    // a benign `ls`.
+    const cwdEscape = detectCwdEscape(components, ctx);
+    const classified = components.map((c) => classifyComponent(c, ctx));
+    // Pick the worst component.
+    let worst;
+    for (const candidate of classified) {
+        if (!worst || CLASS_RANK[candidate.class] > CLASS_RANK[worst.class]) {
+            worst = candidate;
+        }
+    }
+    if (!worst) {
+        return {
+            class: 'unknown',
+            reason: 'no recognizable component',
+            matched: normalized,
+        };
+    }
+    // Cwd escape upgrades the class to at least `write_protected`. A
+    // destructive component still wins (the user might be trying to
+    // wipe a protected path AND escape cwd — we report the worse one).
+    if (cwdEscape && CLASS_RANK[cwdEscape.class] > CLASS_RANK[worst.class]) {
+        return {
+            class: cwdEscape.class,
+            reason: cwdEscape.reason,
+            matched: cwdEscape.matched,
+            components: classified,
+        };
+    }
+    if (classified.length === 1) {
+        return worst;
+    }
+    return { ...worst, components: classified };
+}
+/**
+ * Re-exported destructive-pattern source. The permission engine used
+ * to maintain its own `destructiveBashPatterns` array; that array
+ * now lives here as the single source of truth. Callers that need to
+ * audit the list (e.g. doctor output) read this export instead of
+ * duplicating the regex set.
+ */
+export function listDestructivePatterns() {
+    return DESTRUCTIVE_PATTERNS.map((p) => p.pattern);
+}
+//# sourceMappingURL=bash-classifier.js.map